package uk.ac.ox.ctl.lti13;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.net.URI;
import java.security.KeyPair;
import java.time.Instant;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.Objects;
import java.util.UUID;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.RequestEntity;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
import org.springframework.stereotype.Component;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

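/**
 * Requests OAuth 2.0 access tokens from a platform's token endpoint using the
 * {@code client_credentials} grant, authenticating with a signed JWT client assertion
 * ({@code urn:ietf:params:oauth:client-assertion-type:jwt-bearer}).
 *
 * <p>The assertion is signed with RS256 using the private key that {@link KeyPairService}
 * returns for the client registration's ID. A serialized assertion is a usable credential
 * until it expires, so this class never writes it to the log.
 */
@Component
/* loaded from: input_file:uk/ac/ox/ctl/lti13/TokenRetriever.class */
public class TokenRetriever {
    private static final Logger LOG = LoggerFactory.getLogger(TokenRetriever.class);

    private final KeyPairService keyPairService;
    private final RestTemplate restTemplate = new RestTemplate(Arrays.asList(new FormHttpMessageConverter(), new OAuth2AccessTokenResponseHttpMessageConverter()));

    // Validity of each client assertion in seconds. Keep it short: it bounds how long a
    // captured assertion could be replayed.
    private int jwtLifetime = 60;

    /**
     * Creates a retriever whose error responses are handled by
     * {@link OAuth2ErrorResponseErrorHandler}.
     *
     * @param keyPairService source of the signing key pair for each client registration
     */
    public TokenRetriever(KeyPairService keyPairService) {
        this.keyPairService = keyPairService;
        this.restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler());
    }

    /**
     * Sets how long each client assertion is valid for.
     *
     * @param i lifetime in seconds; a value of zero or less is accepted but produces
     *          assertions that are already expired when issued, so a warning is logged
     */
    public void setJwtLifetime(int i) {
        if (i <= 0) {
            LOG.warn("JWT lifetime set to {} seconds; client assertions will already be expired when issued.", i);
        }
        this.jwtLifetime = i;
    }

    /**
     * Requests an access token for the given scopes from the registration's token URI.
     *
     * @param clientRegistration registration supplying the client ID, registration ID and token URI
     * @param strArr the scopes to request; at least one is required
     * @return the token response body as converted by the REST template (may be {@code null}
     *         if the response carried no body)
     * @throws IllegalArgumentException if no scopes are supplied
     * @throws NullPointerException if {@code clientRegistration} is {@code null} or no key pair
     *         is available for it
     * @throws JOSEException if the client assertion cannot be signed
     */
    public OAuth2AccessTokenResponse getToken(ClientRegistration clientRegistration, String... strArr) throws JOSEException {
        if (strArr.length == 0) {
            throw new IllegalArgumentException("You must supply some scopes to request.");
        }
        Objects.requireNonNull(clientRegistration, "You must supply a clientRegistration.");
        MultiValueMap<String, String> form = buildFormData(createJWT(clientRegistration), strArr);
        HttpHeaders headers = new HttpHeaders();
        headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON_UTF8));
        // The signed assertion is posted to whatever token URI the registration is configured
        // with, so that configuration decides where the credential is sent.
        URI tokenUri = URI.create(clientRegistration.getProviderDetails().getTokenUri());
        RequestEntity<MultiValueMap<String, String>> request = new RequestEntity<>(form, headers, HttpMethod.POST, tokenUri);
        return this.restTemplate.exchange(request, OAuth2AccessTokenResponse.class).getBody();
    }

    /**
     * Builds and signs the client assertion: issuer and subject are the client ID, the
     * audience is the token URI, and each assertion gets a random {@code jti}.
     *
     * @throws NullPointerException if no key pair is registered for the client registration
     * @throws JOSEException if signing fails
     */
    private SignedJWT createJWT(ClientRegistration clientRegistration) throws JOSEException {
        KeyPair keyPair = this.keyPairService.getKeyPair(clientRegistration.getRegistrationId());
        if (keyPair == null) {
            throw new NullPointerException("Failed to get keypair for client registration: " + clientRegistration.getRegistrationId());
        }
        // Read the clock once so that exp is exactly iat + jwtLifetime.
        Instant issuedAt = Instant.now();
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer(clientRegistration.getClientId())
                .subject(clientRegistration.getClientId())
                .audience(clientRegistration.getProviderDetails().getTokenUri())
                .issueTime(Date.from(issuedAt))
                .jwtID(UUID.randomUUID().toString())
                .expirationTime(Date.from(issuedAt.plusSeconds(this.jwtLifetime)))
                .build();
        SignedJWT signedJWT = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.RS256).type(JOSEObjectType.JWT).build(), claims);
        signedJWT.sign(new RSASSASigner(keyPair.getPrivate()));
        // Log identifying claims only. The serialized assertion includes the signature and can
        // be presented to the token endpoint by anyone who can read the log until it expires.
        LOG.debug("Created signed client assertion: registration={} jti={} expires={}",
                clientRegistration.getRegistrationId(), claims.getJWTID(), claims.getExpirationTime());
        return signedJWT;
    }

    /**
     * Assembles the form body for the token request.
     *
     * @param signedJWT the signed client assertion
     * @param strArr the scopes, sent space-separated in the {@code scope} parameter
     */
    private MultiValueMap<String, String> buildFormData(SignedJWT signedJWT, String[] strArr) {
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", "client_credentials");
        form.add("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
        form.add("scope", String.join(" ", strArr));
        form.add("client_assertion", signedJWT.serialize());
        return form;
    }
}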
